Closed orolhawion closed 1 year ago
The service might be using a different hash algorithm. You can use the --hash option for register to select a different algorithm (default: SHA1). If this does not help, we would need to know the service you use. If you don’t want to share it here, you can also send a mail to me directly or to support@nitrokey.com.
I tried Gitlab and GitHub, both are wrong. I also added the secret to my YubiKey 5 with the default options (sha1, 6 digits, totp); the codes from the YubiKey are different from the Nitrokey codes and valid for login. Can you reproduce this with a GitHub account?
The only difference between the Nitrokey and YubiKey procedure is that for Nitrokey I have to provide the secret base32 encoded, whereas the YubiKey just takes the secret string.
I just tested it on GitHub and I did not have any issues.
How do you determine the secret? The secret in the QR code generated by GitHub already is Base32-encoded. Maybe you just have to drop the encoding step?
My password manager saves the URL otpauth://... that includes a variable named secret with a value which I presume to be the secret. Skipping the base32 part fixed it for GitHub but not for Gitlab.
Hi! The OTP implementation used in the Nitrokey 3 firmware was tested against the test vectors provided in the specification for SHA1, so I expect this is some pynitrokey's UI/UX issue. Can you provide the rest of the URL (with the secret removed) for Gitlab? Perhaps other parameters have changed as well, like the mentioned algorithm or the number of digits.
I think it would be a good idea to have the whole URL interpreted by pynitrokey directly, instead of asking user to divide it properly. Moving to pynitrokey project.
Gitlab works for me too. You just have to remove the spaces from the secret displayed in the UI (or use the secret from the OTP URL). Can you share the arguments you used to create the secret on the NK3?
When I just use the secret I get:
$ nitropy nk3 secrets register microsoft $(cat bb)
Command line tool to interact with Nitrokey devices 0.4.36
Critical error: An unhandled exception occurred
Exception encountered: Error('Non-base32 digit found')
That made me think that I should encode to base32 manually which creates an otp credential on the nitrokey but gives a wrong OTP.
The following secrets do not work as expected:
otpauth://totp/some.gitlab.de:my@mail.de?secret=mysecret&issuer=some.gitlab.instance
otpauth://totp/some%20companyname%3Amy%40mail.de?secret=mysecret&issuer=Microsoft
And how did you create the secret on your NK3? I.e., which arguments did you pass to nitropy?
As stated above, I put the trimmed secret into a file (bb) and called cat or base32 on the file:
$ nitropy nk3 secrets register microsoft $(cat bb)
For github this works, for Microsoft and gitlab it does not.
This is very suspicious. The secret in an OTP URI must be base32-encoded according to the spec. So if you extracted the contents of bb from the OTP URI, this error should not occur.
Perhaps every OTP URI that contains a secret which is not capitalized is suspicious; at least this applies to all secrets that are not working.
The secrets that are not working seem to be base64 encoded. When I try to decode with base32 I get invalid input. When I try to decode with base64 I don't.
I believe the problem is the following: some secrets in otpauth:// URIs are not uppercased, which causes an error when trying to create an OTP credential from them. When I provide my Microsoft secret uppercased, everything works as expected. Perhaps you could uppercase the secret, as this would meet the requirements for a base32 encoded string.
I also get this on some secrets that seem to be ok:
$ nitropy nk3 secrets register dropbox $(cat bb)
Command line tool to interact with Nitrokey devices 0.4.36
Critical error: An unhandled exception occurred
Exception encountered: Error('Incorrect padding')
I’ve created two issues to improve the UI:
I think this should fix your problem, so I’m closing this ticket. Please reopen if you run into any other issues. And thanks for the feedback!
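The two errors in this thread ('Non-base32 digit found' for a lowercase secret, 'Incorrect padding' for a secret whose length is not a multiple of 8) are exactly what Python's strict base64.b32decode raises. The following added example (not pynitrokey's own code) shows the normalisation the thread asks for: parse the whole otpauth:// URI, strip spaces, uppercase and re-pad the secret, then compute the TOTP code with the URI's algorithm, digits and period. The URIs and secrets used to exercise it are constructed from the RFC 6238 test key, not taken from any real account.

```python
# Added example (not pynitrokey's own code); sample URIs in the test are constructed.
import base64, binascii, hmac, struct, time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

def strict_decode_error(secret: str) -> Optional[str]:
    """Message from Python's strict b32decode, or None if it decodes.
    Lowercase -> 'Non-base32 digit found'; len % 8 != 0 -> 'Incorrect padding'."""
    try:
        base64.b32decode(secret)
        return None
    except binascii.Error as exc:
        return str(exc)

def normalize_base32_secret(secret: str) -> bytes:
    """Decode a secret as services display it: drop spaces, uppercase
    (RFC 4648 Base32 is case-insensitive), restore the '=' padding."""
    cleaned = secret.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def parse_otpauth(uri: str) -> dict:
    """TOTP parameters of an otpauth://totp/... URI (defaults: SHA1, 6 digits, 30 s)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": q.get("issuer", [None])[0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "key": normalize_base32_secret(q["secret"][0]),
    }

def totp(key: bytes, at: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HMAC over the big-endian time step, then dynamic truncation."""
    counter = struct.pack(">Q", at // period)
    digest = hmac.new(key, counter, algorithm.lower()).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """Code for an otpauth URI at Unix time `at` (default: now)."""
    p = parse_otpauth(uri)
    now = int(time.time()) if at is None else at
    return totp(p["key"], now, p["algorithm"], p["digits"], p["period"])
```

Comparing code_from_uri() against the code your password manager shows for the same URI at the same moment tells you whether the secret was mangled (case, spaces, padding) before it reached the device, or whether another parameter such as algorithm or digits differs.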
I have issues with getting the secrets app to work on my Nitrokey 3C NFC, or at least it is not working as I would expect it to. I did the following:
The file 'MyApp' contains the trimmed OTP secret.
The OTP 204269 is different from what my password manager shows and is invalid for login.
What am I doing wrong?